Exploring the Data Integrity Ordinance in Pharmaceutical Domain

Since the birth of pharmaceutical industry, “Data” has been the crucial element of introducing the drug into market. If the data is incomplete, inaccurate or manipulated, then it becomes valueless for any regulatory submission process. The quality of the product is determined by the data collected.¹ That is why the integrity of data has been gaining a lot of focus from both companies and regulatory authorities. Data integrity in the pharmaceutical sector comprises accurately gathering and documenting data, as well as safeguarding data against inadvertent or intentional alterations, fabrication, deletion, or destruction.² The main purpose of data integrity preservation is to detect and prevent human or unintentional, intentional, or deliberate errors during data gathering, as well as to safeguard original data from modifications, falsifications, or even deletion during data life cycle management. Data quality and integrity can be jeopardised by insufficient mentoring or training in data handling, a lack of proper supervision and attention to detail, and improper data collection techniques. Fabricating, falsifying, collecting or selecting data for desired results, and testing until desired results are reached are some examples of integrity breach and unethical practices which might lead to a non-compliance statement, warning letters, an importation restriction, fines, and penalties. Reputational damage, safety alerts, stock price reductions, business harm, product recalls, market withdrawals, and, in certain cases, company closures, resulting in the loss of tens of thousands of employment.³

The earliest signs of data integrity problems in the pharmaceutical sector were discovered in the 1980s, when it was discovered that some generic medication manufacturers had submitted false data to the FDA on their Abbreviated New Drug Applications (ANDAs). Before submitting name brand medications for bioequivalency testing, some of these generic drug manufacturers repackaged them as samples of their own goods.⁴ While the generic drug controversy brought data integrity to the attention of the FDA, it wasn’t until 2000 that the agency issued its first data integrity warning letter to a pharmaceutical business. In the years since, the FDA has issued a slew of warning letters and form 483 observations linked to data integrity issues.⁵ For example; Out of specification (OOS), out of trend (OOT) results, audit trails, back-dating, advance-dating, duplication of data, falsification and fabrication of data, manipulation ordiscarding data, suboptimal employee training, unjustified retooling, mutual passwords, common loginsare the most common causes of data integrity breaches in the field of QC. While Limited data, insufficient SOPs, employee training, recording incorrect data, not capturing data contemporaneously, inability to keep complete records of equipment maintenance, unsatisfactory batch record and not manufacturing the drug prescribed in the master file are all examples of data integrity violations in the manufacturing field.⁶

Economic and regulatory pressures on pharmaceutical manufacturers are increasing as the generics market grows quicker. There has been a dramatic increase in the quantity and types of data integrity issues highlighted in regulatory inspections in recent years.⁷ Over the past decade, regulatory agencies have created data integrity specific guidance which try to put emphasis on importance of data lifecycle management with the help of quality systems. Implementing data controls and management without first understanding the regulatory and legal processes might lead to data with doubtful authenticity, which could lead to regulatory action. DI is a road map for guaranteeing the accuracy and consistency of data throughout its lifecycle.⁸

The FDA’s mandate to assure the safety, efficacy, and quality of human and veterinary medicines, biological products, and medical devices includes data integrity verification. As a result, the FDA expects all data submitted to the agency to be both dependable and accurate.⁹ The FDA’s authority for cGMP comes from section 501 of the FD&C Act, which states that a drug is adulterated if the methods used in, or the facilities or controls used for, its manufacture, processing, packing, or holding do not conform to, or are not operated or administered in conformity with current good manufacturing practise to assure that such drug meets the requirements of the act as to safety and has the identity and strength, and meets the quality and purity characteristics.¹⁰

Data must be dependable and trustworthy to the point where it can survive scrutiny during regulatory inspections, according to the FDA. The FDA specifies in its recently issued guidance on data integrity that data integrity refers to the completeness, consistency, and accuracy of data for the purposes of this guidance.¹¹ Whether the data is captured on paper or electronically, it is a part of the data lifecycle. From the outset of data generation and recording through the process (including transformation or migration), use, retention, retrieval, and destruction, ALCOA assists in making data full, consistent, and accurate.

It was first illustrated by USFDA and eventually other regulatory agencies adopted the idea.¹²

ALCOA is a set of acronyms on which the whole concept of data and its integrity is based upon. When data collected, it has to satisfy the ALCOA principle in order to maintain the reliability and truthfulness which will help the authorities in decision making.

It states clearly who took the data or did the activity, as well as who wrote the document and when it was prepared. Every piece of information gathered in writing must be traceable back to the individual in control. The signature of the in-charged person must be utilized in order for the data to be traceable. Every detail of the date-time of creation, change, and deletion must be recorded. Individual login credentials and passwords should be used by each individual. Under no circumstances should personal login details and passwords be shared.

After the data is recorded, the data for paper-based records must be easy to read and analyze. Throughout the data life cycle, the records should be permanent and should not be damaged. Handwritten documents are prone to grammatical and spelling problems; therefore, they should be thoroughly examined and fixed if necessary. There should be no untranslated hieroglyphics in the documents. Permanent memory should be used to store computer-based data. When altering or modifying data, the data from the permanent memory should not be erased.

It indicates that data must be recorded as soon as it is generated. The site where data is generated should be close to where data is recorded. A cause must be supplied if there is a change in the time of recorded data and generated data that is correct and confirmed. Validation protocol can be used if necessary.

The source data, also known as original data, must be retained in its original state. If the information is written down on paper, the original copies should be kept. If the data is recorded electronically, it should be saved in its original format. If changes to the original data are made, they should be clearly described and reviewed. To avoid undesirable alterations, an appropriate protocol should be developed. Separate files or folders must be kept for properly certified copies of the original data.

Accuracy refers to the truthfulness with which data is collected or preserved; data must accurately reflect the activity or observation performed. It should be devoid of errors. Data should be double-checked, and if any modifications are made, a thorough explanation with supporting evidence is required.¹³

ALCOA-plus^14,15

It is an inherent fundamental ALCOA concept typically abbreviated as attributable, legible, contemporaneous, original, and accurate which additionallyemphasises the qualities of being comprehensive, consistent, enduring, and available.

It means that all data, including test, reanalysis, performance, and sampling, must be complete. For data integrity, the entire set of data is required.

All parts of the analysis, such as the sequence of events, are consistent, and data files are date (all processes) and time (when utilizing a hybrid or electronic system) stamped in the correct order.

All data has been recorded on allowed media that may be retained for a period of time, such as laboratory notebooks, numbered worksheets, or electronic media, for which there is accountability. Data written on scrap paper or any other medium that can be discarded later, such as the backs of envelopes, laboratory coat sleeves, or post-it notes, is not considered permanent.

This is a continuation of ENDURING, in which data must not only be preserved, but also be accessible at a specific moment, such as during an inspection or audit trial.

According to the FDA’s ‘Data Integrity and Compliance with cGMP’ guidance document, companies must implement adequate controls and oversight to ensure data integrity. Companies must create relevant and effective strategies to manage their data integrity risks based on their process understanding and knowledge management of technologies and business models, according to the FDA. Even though the FDA has not discovered any instances of real data deletion, falsification or change, companies that do not have proper data integrity controls and monitoring are considered to be in breach of GMP requirements. For just allowing situations to exist where data could be modified or erased, warning letters have been sent.

This question-and-answer document is primarily focused on the interpretation of sections of the cGMP requirements (21 CFR 11, 210, 211, and 212) that deal to data integrity issues in a pharmaceutical manufacturing setting. The guidance’s major goal appears to be to provide clear and succinct solutions to frequent problems in an easy-to-understand Q&A format.¹⁶

Here are the key requirements that FDA has discussed in cGMP scenario to preserve data integrity.

Metadata is information about other data that is required for the reconstruction of cGMP records. Metadata describes, clarifies, or otherwise enables to retrieve, utilize, or manage data, according to its definition. Date/time stamp showing when the data was collected, user ID of the person who created the data, Identification of the system or instrument used to acquire the data, information valuable in interpreting the data, audit trails, and so on are all examples of metadata. Data should be retained throughout the record’s retention period, together with all related metadata essential to reconstruct the CGMP activity, according to the FDA.¹⁷

Static is used to represent a fixed-data record, such as a paper document or an electronic image, for the purposes of this guidance, the FDA says, and dynamic means that the record format facilitates interaction between the user and the document content. Electronic records or data from certain kinds of laboratory instruments or equipment are dynamic records in the sense that they can be changed by a researcher. FDA requires that original records, whether static or dynamic, should be subjected to a second-person review to ensure that all test results are recorded correctly. It should be comprehensive and include all relevant metadata andmust be kept safe for the duration of the data retention period.

A secure, computer-generated, time-stamped electronic record that provides for the reconstruction of the course of events pertaining to the creation, modification, or deletion of an electronic record, according to the guidance. An audit trail is a chronology of a record’s who, what, when, and why. Audit trails are classified part of an associated record by the FDA, who advises that audit trails that capture changes to important data be examined with each record and before final approval of the record.¹⁷

Processes and data which do not influence product safety or compliance ought not to be audited in general.¹⁸ The objects that impact CQAs are audited which are known as audit trail elements.¹⁹ Audit trails that incorporate data changes should be evaluated by the same individuals that check records under cGMP. Based on the system’s complexity and intended use, the FDA suggests a routine planned audit trail review. The audit can be expedited by marking important things so that the auditor can rapidly sort them out for scrutiny.²⁰

The FDA advises that you validate computer systems not just for their intended application but also for their workflow. Validating a system for its intended usage guarantees that the workflow’s planned processes, specifications, and computations are correct.¹⁷ The Guidelines recommend that you create controls to limit risks related with software, hardware, employees, and documentation in your digital workflow. The evident consequence is that computer system validation should not be kept apart from the IT department, but rather should be linked to the company’s quality unit.

The FDA advises companies to establish computer system accessibility controls to ensure that only authorized individuals can make changes to documents.²¹ This means, among other things, that each individual using the computerised system must be able to be uniquely identifiable, and their actions within the system must be traceable through an audit trail. Personnel with access to change files or settings (for example, a system administrator) must be separated from those in charge of record content.²²

The FDA requires that all blank forms must be uniquely numbered and tracked since unregulated blank forms (e.g., worksheet, master production, laboratory notebooks, and control record, etc.) give a chance for fabricating data and/or testing into compliance. This procedure can be automated with electronic processes, which is a significant advantage over paper-based solutions.¹⁷

Electronic signatures could be used in substitute of handwritten signatures in any cGMP mandated record if adequate controls are in place. Companies that utilize electronic signatures should keep track of the controls they employ to guarantee that they can identify the specific person signing the records electronically and reliably link the signature to the corresponding record.²¹

To avoid testing into compliance, the FDA recommends doing system suitability tests using replicated injections of a standard sample or other standard solutions using actual product samples. It should be a fully characterised alternative standard, written procedures should be established and maintained, and the sample should be from a different batch than the sample being tested when an actual product sample is used to perform a system suitability test.¹⁷

When generated to fulfil a GMP criteria, all data becomes a GMP record, according to the FDA. Unless there is a legitimate, recorded, scientific rationale for its omission, all GMP records must be examined by the quality department as part of the release criteria. The FDA expects systems to be structured such that quality data that must be built and sustained cannot be manipulated, says the agency. This implies that the source document containing the data must still be kept in a secure location for the duration of the record retention term.²³

As part of a standard CGMP training programme, all personnel should be trained in detecting and preventing data integrity breaches, according to the FDA.

To show that you’ve remedied data integrity issues discovered during an inspection, the FDA suggests completing the following steps:

•Analyse the scope of the problem by hiring a third-party auditor.
•Create a corrective and preventative action (CAPA) plan for the entire company.
• Remove employees who are accountable for any violations from all cGMP roles.

There has been significant increase in warning letters regarding data integrity issues for past several years and mostly are consequences of negligence of proper SOPs and quality system specifically developed for data collection and process. Many personnel, particularly in developing nations, can attend a large number of training programs in a short period of time, yet studies show that up to 75% of this type of intensive training is ineffective.²⁴ Many times pharmaceutical manufacturers are under pressure to maintain or improve their market value. As a result, they either distribute the product without first obtaining consent from authorised people, or they may manipulate records if allowed access to the database system.^25–27 Transcription errors can occur occasionally, especially in systems involving manual data transmission to a company database employing hybrid computerised systems, resulting in erroneous data records. Challenges outside of specifications mentioned in the guidance will continue to show up due to growing technologies as we speak, wherefore the companies must develop requirements fulfilling the upgraded processes and equipment. Essentially, it appears that the legislation and guidance papers are thorough in terms of ensuring and fostering Data Integrity. They are, however, unable to prevent Data Integrity Breaches on their own. Most data integrity flaws are first discovered during onsite audits²⁸ or as a result of leaking or tipping,²⁹ by which time theproducts have been marketed and potentially inferior in quality products have been ingested by patients. As a result, in order to promote and ensure data integrity at an advanced level, regulation and advice must be reinforced by alternative techniques. According to a research by Yang, Sun, and Eppler, for any method to be successfully executed, the formulation must satisfy a specific standard, and inter- and intra-departmental connections should be sincere.³⁰ A further suggestion is to endorse data integrity is by obtaining aneffective database management.³¹ A DBMSstores data and when accessed, delivers them in a comprehensive format.³² With the quantitativevariationof data in the pharmaceutical manufacturing industry increasing, user-friendly and reliable database management systems are in high demand.^33,34 Companies and policymakers would be better off focusing on other data integrity issues if their systems were validated. All of the outsourcing solutions of data integrity preservation would not work if the knowledge of data integrity regulations is missing. As represented in this article, the interpretations of specifications and conditions depends on the overall objectives of a quality system. The terms explained in this article are very crucial to head start an effective data quality system implementation.

As data becomes more valuable, it must be prioritised in order to ensure consistency with least effort. While data integrity is not a new issue but with growing technologies, breaches of integrity keep making appearance in warning letters.The new FDA guidance is significant, and it answers many of the industry’s issues around data integrity interpretation, even if the answers offered may not always be accepted in context of the modifications that certain companies will need to undertake in order to comply. FDA has laid down Data Integrity preservation path so it’s up to the organisations and companies to build a quality system which encourages their employees to proactively seek solutions to satisfy and assure the integrity of the data. Companies should also keep in mind that data integrity standards extend to all aspects of GxP, and are not only limited to cGMP activities. Data integrity is a fundamental issue that must be addressed to maintain the safety and efficacy of the life-saving treatments.